A friend of mine asked me if he could sign his tax returns without printing them out. While helping him, he insisted on naming the folder containing images of his signature and initials a completely random thing. I insisted that if someone gained access to his computer, it wouldn't matter what his files are named. He asked me to provide proof, and I couldn't think of anything. That is a ridiculous idea, isn't it?

5 Answers
5

In security, attacks are generally divided into two categories: opportunist attacks and targeted attacks. The former are generally low-effort and low intelligence (i.e., no specific information or recon on the target), the latter have to be assumed to be motivated, well-equipped, and intelligent.

The broader issue behind this question is: Does obscurity do anything to thwart attacks by either attacker?

In short, "yes", because it does offer some resistance against opportunist attackers. Attackers aren't perfect and the defender can use that to their advantage by capitalizing on the attacker's laziness or ignorance. Attacks by opportunists are modeled as being generally both ignorant and lazy. Opportunist examples:

People who steal a mobile device. Someone who steals the computer (if it is a mobile device) may not look through all the files, there are stories of devices that get stolen and the contents completely ignored.

Botnets. Malware is written to work on many machines. It is unlikely to upload every single file in a user's profile directory and also unlikely to be able to recognize an image of a signature.

For such attackers, Desktop/a_copy_of_my_signature.jpg is far more likely to be carefully processed than data/misc/receipts/DATA_1/rozs/ewa34.dat.

In this case, obfuscation here improves the odds of the signature file not being discovered but it doesn't really do anything to thwart a qualified attacker, so the security gain is minimal. So it's not ridiculous to take this measure, but it is silly to rely solely on it.

More generally, obfuscation can offer a worthwhile outer layer of security in a multi-layered security system. Remember that, as the defender, you win every security battle you prevent. (But don't become too reliant on avoiding them.)

On a side note, signatures aren't that extremely important to protect. Signatures exist in so many places and this person may very well have unprotected copies of it elsewhere in his house on various documents. (Or think about celebrities whose autograph signature matches their legal signature.) And just about any system that requires a signature has mechanisms in place to deal with fraud, so most forged signatures can be contested since this is a well-worn legal path. The signature is probably worth protecting, but it's also likely that the computer is not the easiest way to get a hold of the signature should he be the target of a determined forgery attempt.

It does not, however, provide any security against a determined attacker, or one that is looking for content within files. Use encryption!
– Polynomial Oct 18 '12 at 8:45

2

Excellent answer because it points out that security through obscurity, while being disastrous as a single security control, can be a helpful enhancement in a properly layered security system. We really should stop simply repeating that security through obscurity is bad. It lowers the usefulness and scope of a discussion about security.
– Luke Sheppard Oct 18 '12 at 14:45

@LukeSheppard, yes, I was trying to imply how it could be helpful in layered security. I added a statement to explicitly state that.
– B-Con Oct 19 '12 at 20:52

I agree with the general principle that one should not rely solely on obscurity for security. I would, however, like to point out that there are some attacks that obscurity does protect against. It is important to understand what a particular security measure does and does not do, instead of just reciting a slogan.

Misleading file/folder names (perhaps in conjunction with a dense forest of nested folders) do provide slight protection against an opportunistic attacker who is manually searching for files of interest.

It will not protect against a methodical, determined attacker using scripts/software to list every file on the system, and summarize/search/index content.

It's possible that obscuring the file names is the method that is most suitable for your friend.

No, security through obscurity is universally frowned upon. It's even worse than doing nothing because it shows a false sense of security that many decision makers will not understand the failing of and then divert resources from actually securing the information.

Well, explaining that should really just be step one in answering a question like this. A blanket dismissal of security through obscurity has an attached danger too. If a person has the idea that it is all the security they need, which is what your answer is trying to address, then that person will probably be out of ideas after your comment. A person who believes that this is a good way to secure data really needs some new information about how to properly secure their data, not just a dismissal of their naïveté.
– Luke Sheppard Oct 21 '12 at 19:02

Yes if he is protecting it against his little sister or someone who has physical access for 2 mins. No otherwise. Also note that if it's called 'porn' or 'sdjfhusdhfhsduhud' which is out of the ordinary it might draw attention.

Aside from the fact that security through obscurity is generally considered to be a big "no no", I would also like to point out that someone with physical access to your hard drive, or a copy of the data contained on your drive, may not try and browse it using conventional means. Instead, they might employ the use of a tool, such as FTK, to scan the drive and retrieve specific types of content.

These tools are capable of analysing individual clusters on your hard drive, and finding patterns (Google: Magic Numbers Programming) which are indicative of a file's type. This type of analysis can be performed even after the Master File Table (in NTFS, the section of your hard drive which holds the name of each file) has been erased (by formatting your drive, for example).

This is applicable to your question as follows:

A motivated attacker gains physical access to your friend's computer

The attacker makes an exact copy of your friend's hard drive

The attacker uses FTK to find all images on your friend's hard-drive

The attacker analyses each of the images retrieved for sensitive content

Again, this is completely independent of the file's name, and can be done even after the hard drive has been formatted, as long as the unallocated space where the file used to reside has not yet been overridden.

It's also possible to increase the probability of finding a match in this manner by tightening the filter on what type of files are being returned. For example, you may want to search for all JPEG, GIF and PNG files between 5KB and 50KB in size.
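The signature-based scan this answer describes, as an added example that is not part of the original answer: a minimal header/footer carver run over a constructed byte buffer that has no file names and no file table, with the 5KB to 50KB size filter applied. The names `carve` and `build_sample_disk` and the sample bodies are made up for illustration; this is not how FTK itself is implemented.

```python
# Header/footer carving: find image data by magic numbers alone.
# (type, header magic, footer marker)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),            # SOI ... EOI
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature ... IEND chunk + CRC
    ("gif", b"GIF89a", b"\x00\x3b"),                   # header ... block terminator + trailer
]


def carve(image: bytes, min_size: int = 0, max_size: int = 50 * 1024):
    """Return sorted (offset, type, size) for each header/footer pair in raw bytes."""
    hits = []
    for kind, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end != -1:
                size = end + len(footer) - pos
                if min_size <= size <= max_size:
                    hits.append((pos, kind, size))
            pos = image.find(header, pos + 1)
    return sorted(hits)


def build_sample_disk() -> bytes:
    """Constructed sample: three fake image bodies separated by zero filler.

    The bodies are not valid images; only their headers and footers are real.
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"\x11" * 6000 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x22" * 200 + b"IEND\xaeB`\x82"
    gif = b"GIF89a" + b"\x33" * 9000 + b"\x00\x3b"
    gap = b"\x00" * 512
    return gap + jpeg + gap + png + gap + gif


if __name__ == "__main__":
    disk = build_sample_disk()
    # Same filter as in the answer: image candidates between 5KB and 50KB.
    for offset, kind, size in carve(disk, min_size=5 * 1024, max_size=50 * 1024):
        print(f"offset={offset:6d} type={kind:4s} size={size}")
```

Nothing in the scan consults a directory entry, which is why renaming or nesting the file changes nothing here; only encrypting the contents removes the recognisable header.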